Power plants across the US and Canada could overheat, shut down or be caused to malfunction because of vulnerabilities that leave them open to hacking, according to new research.

If exploited, the vulnerabilities could be used to crash or potentially hijack the servers controlling electronic substations, water utilities and power plants.

Adam Crain, Chris Sistrunk and Adam Todorski, who are working with industrial consultants Automatak, found 25 zero-day vulnerabilities – flaws which have never before been seen in the wild – in the protocol by which power plants and other parts of the electricity grid communicate internally.

Such protocols are rarely examined by security researchers because they are isolated from the internet, the usual source of hacking attacks.

In addition, the specificity of the protocols, known as supervisory control and data acquisition (SCADA) systems, means that the are thought to have a sort of security through obscurity: if few know how they work, then it is hoped no one will have the knowledge to exploit them.

Crain warns this is a false comfort. “If someone tries to breach the control center through the internet, they have to bypass layers of firewalls,” he told Wired’s Kim Zetter. “But someone could go out to a remote substation that has very little physical security and get on the network and take out hundreds of substations potentially. And they don’t necessarily have to get into the substation either.”

Project Robus, the name for the team’s ongoing search for vulnerabilities, has so far reported nine of the potential exploits to the vendor who designed each one, as well as the US Department of Homeland Security.

Most of the vulnerabilities allow potential attackers to send controlling servers into infinite loops, rendering them unable to respond to commands from controllers. That isn’t the same as rendering them unable to control the utilities, but it could mean that the operators in charge of sections of the power grid are blind to conditions on the ground.

The worst of the vulnerabilities exposed so far enables a potential buffer-overflow attack, whereby code stored for one purpose “overflows” its container, and can end up being executed when it shouldn’t be. At its most serious, this allows for code to be injected into servers, which could allow attackers to take over the whole system.